sec-check
Security review checklist for Convex functions, auth logic, public queries, admin routes, webhooks, uploads, and AI-generated code. Use when reviewing code that touches user data, PII, or access control.
Best use case
sec-check is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using sec-check should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/sec-check/SKILL.md inside your project
- Restart your AI agent so it auto-discovers the skill
SKILL.md Source
# Security Review Skill

Use this skill when reviewing Convex functions, auth logic, public query shapes, admin routes, webhooks, uploads, or any AI-generated code that touches user data.

## When to use it

Reach for this skill when:

- a mutation writes user or admin data
- a public query returns package or user data
- an internal function should be separated from a public wrapper
- a form collects names, emails, or other contact info
- a webhook, upload, or API key flow is added
- AI-generated code needs a security pass before shipping

## Auth and ownership checks

- Call `ctx.auth.getUserIdentity()` before authenticated writes.
- Never trust client-supplied user ids for ownership.
- Prefer indexed ownership checks over fetch-then-compare patterns.
- Use `internalQuery`, `internalMutation`, and `internalAction` for sensitive backend work.
- Keep public wrappers thin. Do auth and access checks there, then call internal functions.
- Return generic `Not found` style errors when you should not reveal existence.

## Data exposure rules

- Public queries should return public-safe shapes only.
- Strip PII like email, name, Discord handle, internal notes, AI review details, or admin metadata unless the caller is allowed to see them.
- Add explicit return validators on public functions so the response shape stays tight.
- Mutations should return minimal data, usually ids or `null`, not the submitted object.
- Treat everything returned by a query as visible in browser DevTools and WebSocket traffic.

## Sensitive integrations

- Keep secrets in server-side environment variables only.
- Validate webhook signatures before processing.
- Restrict CORS for sensitive endpoints.
- Validate upload types and file sizes server-side.
- Do not send user PII into AI prompts when it is not required for the task.
- Use simple actor labels like `AI` or `System`, not fake email addresses, for automated actions.

## AI-generated code checks

- Watch for missing `returns` validators.
- Watch for public `query` or `mutation` usage where `internal*` should be used.
- Watch for `ctx.db.get()` plus client-supplied ids in ownership checks.
- Watch for full objects returned from public queries or mutations.
- Watch for vague or over-detailed error messages that leak internal state.

## Verification checklist

- Open the browser network panel and inspect WebSocket or XHR responses for sensitive fields.
- Hard refresh after deploying security changes so cached subscriptions do not fool the test.
- Verify public queries exclude PII and internal metadata.
- Verify admin queries require auth and admin checks before returning full data.
- Verify mutations return minimal data.
- Verify any new action or integration logs full errors only on the server side.
Related Skills
Update project docs
Use this skill after completing any feature, fix, or migration to keep the three core project tracking files in sync.
robel-auth
Integrate and maintain Robelest Convex Auth in apps by always checking upstream before implementation. Use when adding auth setup, updating auth wiring, migrating between upstream patterns, or troubleshooting @robelest/convex-auth behavior across projects.
Create a PRD
Use this skill before any multi-file feature, architectural decision, or complex bug fix.
convex-self-hosting
Integrate Convex static self-hosting into existing apps using the latest upstream instructions from get-convex/self-hosting every time. Use when setting up upload APIs, HTTP routes, deployment scripts, migration from external hosting, or troubleshooting static deploy issues across React, Vite, Next.js, and other frontends.
convex-return-validators
Guide for when to use and when not to use return validators in Convex functions. Use this skill whenever the user is writing Convex queries, mutations, or actions and needs guidance on return value validation. Also trigger when the user asks about Convex type safety, runtime validation, AI-generated Convex code, Convex AI rules, Convex security best practices, or when they're debugging return type issues in Convex functions. Trigger this skill when users mention "validators", "returns", "return type", or "exact types" in the context of Convex development. Also trigger when writing or reviewing Convex AI rules or prompts that instruct LLMs how to write Convex code.
convex-doctor
Run convex-doctor static analysis, interpret findings, and fix issues across security, performance, correctness, schema, and architecture categories. Use when running convex-doctor, fixing convex-doctor warnings or errors, improving the convex-doctor score, or when asked about Convex code quality, static analysis, or linting Convex functions.
write
Writing style guide for technical content, social media, blog posts, READMEs, git commits, and developer documentation. Optimized to avoid AI detection patterns. Use when writing any content beyond code.
workflow
Project workflow for PRDs, task tracking, changelog sync, and documentation updates. Use for any non-trivial task that spans multiple steps, touches several files, changes architecture, or needs project tracking updates. Also activates with @update to sync task.md, changelog.md, and files.md after completing work.
schema-builder
Design and generate Convex database schemas with proper validation, indexes, and relationships. Use when creating schema.ts or modifying table definitions.
real-time-backend
Build reactive, type-safe, production-grade backends. ALWAYS use this skill when the user asks to build, plan, design, or implement backend features, APIs, data models, server logic, database schemas, web apps, full-stack apps, or mobile apps. This includes planning and architecture discussions.
react-effect-decision
Combine React's official "You Might Not Need an Effect" guidance with this project's stricter no-direct-useEffect stance. Use when writing, reviewing, or refactoring React components that might reach for useEffect, derived state, event relays, reset logic, subscriptions, or client fetching.
migration-helper
Plan and execute Convex schema migrations safely, including adding fields, creating tables, and data transformations. Use when schema changes affect existing data.